Code Red Scenario: E-commerce Platform Crisis

Code Red Scenario: E-commerce Platform Crisis

Velocity Commerce: E-commerce platform, 800 employees, 5,000 online retailers

• Code Red

STAKES

Retailer revenue + Customer shopping data + Platform reputation + Holiday shopping season

HOOK

Velocity Commerce is managing Black Friday weekend traffic for 5,000 online retailers when their IIS web servers begin replacing retailer storefronts with defacement messages. The compromised servers are simultaneously generating massive outbound attack traffic – the platform’s own infrastructure is being used to attack other hosts across the internet while retailers lose critical holiday revenue during the most important shopping period of the year.

PRESSURE

• Black Friday weekend - peak shopping season revenue loss threatens retailer businesses + Platform reputation damage affects company survival

FRONT • 90 minutes • Intermediate

Velocity Commerce: E-commerce platform, 800 employees, 5,000 online retailers

• Code Red

NPCs

• Victoria Chen (Platform Operations Director): Managing peak holiday shopping traffic for 5,000 online retailers, watching e-commerce platforms get defaced during the most critical revenue period of the year
• Mark Rodriguez (Security Engineer): Discovering that platform servers are participating in internet-wide attacks while retailer websites display defacement messages instead of products
• Amanda Johnson (Client Success Manager): Managing crisis communications with thousands of retailers losing holiday revenue due to platform compromise during Black Friday weekend
• Kevin Wu (Infrastructure Manager): Coordinating emergency response while maintaining platform availability for retailers dependent on holiday shopping revenue

SECRETS

• E-commerce platform delayed IIS security patches during holiday preparation to avoid disrupting critical shopping season
• Thousands of retailer websites share vulnerable server infrastructure with minimal security isolation
• Platform's infected servers are now attacking other e-commerce and financial services infrastructure across the internet

Code Red Scenario: E-commerce Platform Crisis

Brightpath Retail: E-commerce platform, 600 employees, 5,000 online retailers

• Code Red

STAKES

Retailer revenue + Customer shopping data + Platform reputation + Holiday shopping season

HOOK

Brightpath Retail is managing Black Friday weekend traffic for 5,000 online retailers when their IIS web servers begin replacing retailer storefronts with defacement messages. The compromised servers are simultaneously generating massive outbound attack traffic – the platform’s own infrastructure is being used to attack other hosts across the internet while retailers lose critical holiday revenue during the most important shopping period of the year.

PRESSURE

• Black Friday weekend - peak shopping season revenue loss threatens retailer businesses + Platform reputation damage affects company survival

FRONT • 90 minutes • Intermediate

Brightpath Retail: E-commerce platform, 600 employees, 5,000 online retailers

• Code Red

NPCs

• Siobhan Brennan (Platform Operations Director): Managing peak holiday shopping traffic for 5,000 online retailers, watching e-commerce platforms get defaced during the most critical revenue period of the year
• Callum Reid (Security Engineer): Discovering that platform servers are participating in internet-wide attacks while retailer websites display defacement messages instead of products
• Ngozi Okafor (Client Success Manager): Managing crisis communications with thousands of retailers losing holiday revenue due to platform compromise during Black Friday weekend
• Tariq Hussain (Infrastructure Manager): Coordinating emergency response while maintaining platform availability for retailers dependent on holiday shopping revenue

SECRETS

• E-commerce platform delayed IIS security patches during holiday preparation to avoid disrupting critical shopping season
• Thousands of retailer websites share vulnerable server infrastructure with minimal security isolation
• Platform's infected servers are now attacking other e-commerce and financial services infrastructure across the internet

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Code Red E-commerce Platform Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Code Red E-commerce Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

“It’s Black Friday morning at Velocity Commerce, and the platform is handling record traffic for 5,000 online retailers during the most critical shopping weekend of the year. Retailer websites are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of product catalogs and shopping carts. At the same time, your IIS servers are generating massive outbound scanning traffic hammering external hosts – your own infrastructure appears to be attacking the rest of the internet.“

“It’s 14:30 on a Wednesday at Brightpath Retail, and the platform is handling record traffic for 5,000 online retailers during the most critical shopping weekend of the year. Retailer websites are displaying ‘HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ instead of product catalogs and shopping carts. At the same time, your IIS servers are generating massive outbound scanning traffic hammering external hosts – your own infrastructure appears to be attacking the rest of the internet.“

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Retailer e-commerce websites displaying defacement messages instead of product catalogs”
• “Shopping cart and payment systems showing ‘Hacked By Chinese!’ messages during peak sales”
• “Platform IIS servers generating massive scanning traffic affecting internet bandwidth”
• “5,000 online retailers unable to process holiday sales through compromised platform infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• E-commerce platform forensics reveal buffer overflow exploitation targeting holiday shopping infrastructure
• Shopping transaction system analysis shows memory-only worm infection across platform web servers
• Holiday shopping timeline analysis indicates compromise during peak Black Friday traffic

Protector System Analysis:

Note🛡️ Protector System Analysis

• E-commerce network monitoring reveals infected servers participating in coordinated attacks against financial infrastructure
• Platform security assessment shows delayed patch management affecting critical holiday shopping operations
• Customer shopping data integrity analysis indicates potential exposure through compromised e-commerce systems

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Internet traffic analysis reveals e-commerce platform participating in attacks against other shopping and financial services
• Retail network communication patterns show coordination with other infected e-commerce and payment systems
• Holiday shopping traffic analysis indicates massive revenue impact across thousands of dependent retailers

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Retailer communications regarding holiday revenue loss and customer shopping disruption
• Customer service management dealing with shoppers unable to complete purchases during Black Friday
• E-commerce industry coordination about platform security and holiday shopping protection

Mid-Scenario Pressure Points:

• Hour 1: Major retailer reports $2 million in lost Black Friday sales due to defaced e-commerce platform
• Hour 2: Payment processing companies report attacks originating from Velocity Commerce’s infrastructure
• Hour 3: 5,000 online retailers demanding immediate platform restoration as holiday shopping weekend continues
• Hour 4: News media reports widespread e-commerce disruption affecting Black Friday shopping nationwide

Evolution Triggers:

• If response exceeds 12 hours, retailers lose entire Black Friday weekend revenue affecting annual business results
• If worm containment fails, infection spreads to payment processing and financial services infrastructure
• If platform restoration is delayed, customer shopping data exposure threatens long-term business relationships

Resolution Pathways:

Technical Success Indicators:

• Emergency patch deployment stops worm propagation across e-commerce platform infrastructure
• Retailer websites restored through secure backup systems maintaining holiday shopping capabilities
• Platform servers removed from coordinated attack network while preserving shopping transaction processing

Business Success Indicators:

• E-commerce operations restored with minimal impact on retailer holiday revenue and customer shopping
• Platform reputation protected through rapid response and transparent communication with retail partners
• Customer shopping data secured preventing long-term damage to e-commerce trust and relationships

Learning Success Indicators:

• Team understands e-commerce platform’s critical role in holiday retail economy and internet infrastructure
• Participants recognize platform cybersecurity responsibilities during peak commercial periods
• Group demonstrates coordination between business continuity and internet security obligations

Initial Symptoms to Present:

Warning🚨 Initial User Reports

• “Retailer e-commerce websites displaying defacement messages instead of product catalogs”
• “Shopping cart and payment systems showing ‘Hacked By Chinese!’ messages during peak sales”
• “Platform IIS servers generating massive scanning traffic affecting internet bandwidth”
• “5,000 online retailers unable to process holiday sales through compromised platform infrastructure”

Key Discovery Paths:

Detective Investigation Leads:

Note🔍 Detective Investigation Path

• E-commerce platform forensics reveal buffer overflow exploitation targeting holiday shopping infrastructure
• Shopping transaction system analysis shows memory-only worm infection across platform web servers
• Holiday shopping timeline analysis indicates compromise during peak Black Friday traffic

Protector System Analysis:

Note🛡️ Protector System Analysis

• E-commerce network monitoring reveals infected servers participating in coordinated attacks against financial infrastructure
• Platform security assessment shows delayed patch management affecting critical holiday shopping operations
• Customer shopping data integrity analysis indicates potential exposure through compromised e-commerce systems

Tracker Network Investigation:

Note🌐 Tracker Network Investigation

• Internet traffic analysis reveals e-commerce platform participating in attacks against other shopping and financial services
• Retail network communication patterns show coordination with other infected e-commerce and payment systems
• Holiday shopping traffic analysis indicates massive revenue impact across thousands of dependent retailers

Communicator Stakeholder Interviews:

Note🗣️ Communicator Stakeholder Interviews

• Retailer communications regarding holiday revenue loss and customer shopping disruption
• Customer service management dealing with shoppers unable to complete purchases during Black Friday
• E-commerce industry coordination about platform security and holiday shopping protection

Mid-Scenario Pressure Points:

• Hour 1: Major retailer reports £1.5 million in lost Black Friday sales due to defaced e-commerce platform
• Hour 2: Payment processing companies report attacks originating from Brightpath Retail’s infrastructure
• Hour 3: 5,000 online retailers demanding immediate platform restoration as holiday shopping weekend continues
• Hour 4: News media reports widespread e-commerce disruption affecting Black Friday shopping nationwide

Evolution Triggers:

• If response exceeds 12 hours, retailers lose entire Black Friday weekend revenue affecting annual business results
• If worm containment fails, infection spreads to payment processing and financial services infrastructure
• If platform restoration is delayed, customer shopping data exposure threatens long-term business relationships

Resolution Pathways:

Technical Success Indicators:

• Emergency patch deployment stops worm propagation across e-commerce platform infrastructure
• Retailer websites restored through secure backup systems maintaining holiday shopping capabilities
• Platform servers removed from coordinated attack network while preserving shopping transaction processing

Business Success Indicators:

• E-commerce operations restored with minimal impact on retailer holiday revenue and customer shopping
• Platform reputation protected through rapid response and transparent communication with retail partners
• Customer shopping data secured preventing long-term damage to e-commerce trust and relationships

Learning Success Indicators:

• Team understands e-commerce platform’s critical role in holiday retail economy and internet infrastructure
• Participants recognize platform cybersecurity responsibilities during peak commercial periods
• Group demonstrates coordination between business continuity and internet security obligations

Common IM Facilitation Challenges:

If Retailer Impact Is Underestimated:

“Your technical response is solid, but Amanda just reported that 5,000 online retailers are losing Black Friday revenue and threatening to switch platforms. How do you balance worm investigation with critical business relationships?“

“Your technical response is solid, but Ngozi just reported that 5,000 online retailers are losing Black Friday revenue and threatening to switch platforms. How do you balance worm investigation with critical business relationships?“

If Internet Attack Participation Is Ignored:

“While you’re restoring shopping platforms, Mark discovered that your servers are attacking payment processing companies and other e-commerce infrastructure. How does this change your response strategy?“

“While you’re restoring shopping platforms, Callum discovered that your servers are attacking payment processing companies and other e-commerce infrastructure. How does this change your response strategy?“

If Holiday Timeline Is Overlooked:

“Victoria needs to know: can the platform be restored in time to capture Cyber Monday traffic, or will retailers lose the entire holiday shopping weekend?“

“Siobhan needs to know: can the platform be restored in time to capture Cyber Monday traffic, or will retailers lose the entire holiday shopping weekend?“

Success Metrics for Session:

• Team understands e-commerce platform’s role in holiday retail economy and internet security
• Retailer business continuity maintained as priority throughout incident response
• Internet security coordination demonstrates understanding of e-commerce infrastructure responsibility
• Learning includes e-commerce platform security and customer shopping data protection
• Response strategy balances immediate business needs with internet infrastructure obligations

Template Compatibility

Quick Demo (35-40 min)

• Rounds: 1
• Actions per Player: 1
• Investigation: Guided
• Response: Pre-defined
• Focus: Use the “Hook” and “Initial Symptoms” to quickly establish e-commerce holiday crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing worm propagation patterns and e-commerce infrastructure vulnerabilities.

Lunch & Learn (75-90 min)

• Rounds: 2
• Actions per Player: 2
• Investigation: Guided
• Response: Pre-defined
• Focus: This template allows for deeper exploration of e-commerce platform cybersecurity challenges. Use the full set of NPCs to create realistic holiday shopping pressures. The two rounds allow Code Red to spread affecting more retailers, raising stakes. Debrief can explore balance between business operations and internet infrastructure responsibility.

Full Game (120-140 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing retailer holiday revenue, platform reputation, customer shopping data, and internet security responsibilities. The three rounds allow for full narrative arc including worm’s e-commerce-specific impact and coordinated attack participation.

Advanced Challenge (150-170 min)

• Rounds: 3
• Actions per Player: 2
• Investigation: Open
• Response: Creative
• Complexity: Add red herrings (e.g., legitimate platform updates causing unrelated shopping disruptions). Make containment ambiguous, requiring players to justify retailer-facing decisions with incomplete information. Remove access to reference materials to test knowledge recall of worm behavior and e-commerce platform security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “E-commerce platform forensics reveal Code Red worm exploiting IIS buffer overflow vulnerability in web servers hosting 5,000 online retailers. The memory-only worm is spreading autonomously through Velocity Commerce‘s infrastructure, defacing shopping platforms with ’HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during peak Black Friday traffic.”

Clue 2 (Minute 10): “Network monitoring reveals infected platform servers generating massive internet scanning traffic and participating in coordinated attacks against payment processing and financial services infrastructure. Holiday shopping timeline analysis indicates the compromise began during Black Friday preparation when IIS patches were delayed to avoid disrupting critical shopping season.”

Clue 3 (Minute 15): “Real-time traffic analysis shows Velocity Commerce’s infected servers attacking other e-commerce and financial infrastructure across the internet. Platform security assessment reveals 5,000 online retailers have lost Black Friday shopping capabilities, with major retailers reporting multi-million dollar revenue losses during the most critical shopping weekend of the year.”

Pre-Defined Response Options

Option A: Emergency IIS Patching & Platform Isolation

• Action: Immediately deploy emergency IIS patches to all platform servers, isolate infected systems from internet to stop coordinated attacks, restore retailer websites from secure backups, establish emergency shopping platform for Black Friday continuity.
• Pros: Completely stops worm propagation and ends platform participation in internet attacks; enables rapid retailer website restoration for holiday shopping revenue recovery.
• Cons: Requires complete platform patching affecting all 5,000 online retailers temporarily; some shopping data from Black Friday morning may be lost.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

Option B: Selective Server Restoration & Revenue Priority

• Action: Quarantine confirmed infected servers, implement prioritized restoration for high-revenue retailers first, maintain shopping capabilities for unaffected retailers while accelerating platform-wide remediation.
• Pros: Allows continued holiday shopping operations for major retailers; protects platform business relationships through revenue-prioritized recovery.
• Cons: Risks continued worm propagation in non-prioritized infrastructure; platform continues participating in internet attacks during selective restoration.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or attack participation.

Option C: Platform Reboot & Mass Restoration

• Action: Perform coordinated platform-wide reboot to eliminate memory-only worm, rapidly restore all 5,000 online retailers simultaneously from backups, coordinate with internet security community about attack cessation.
• Pros: Fastest technical solution eliminating worm through memory clearing; demonstrates internet security responsibility through coordinated response.
• Cons: Requires complete platform downtime affecting all retailers simultaneously during Black Friday; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Retailer Support Manager Jennifer reports 500+ urgent tickets from retailers seeing defacement messages instead of product catalogs on Black Friday morning. “Our retailers are losing millions in holiday sales every minute!”
• Clue 2 (Minute 10): Platform forensics reveal Code Red worm exploiting IIS buffer overflow in e-commerce infrastructure. The worm is autonomously spreading through 5,000 online retailers, defacing shopping pages with “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” during peak shopping traffic.
• Clue 3 (Minute 15): E-commerce network monitoring shows infected platform servers generating massive scanning traffic and participating in coordinated attacks against other retail and payment processing infrastructure on the busiest shopping day of the year.
• Clue 4 (Minute 20): Platform Security Director Robert reveals that IIS patches were delayed to avoid disrupting Black Friday preparations. “We couldn’t risk platform updates during our critical revenue period - Black Friday represents 40% of annual retailer income.”

Response Options:

• Option A: Emergency Platform Reboot - Immediately reboot all infected platform servers to clear memory-only worm, restore retailer websites from backups, delay comprehensive patching until after Black Friday weekend.
  • Pros: Fastest path to retailer website restoration; minimal Black Friday disruption; maintains holiday shopping revenue.
  • Cons: Doesn’t patch underlying IIS vulnerability; servers will be reinfected within hours; continues internet attack participation risk.
  • Type Effectiveness: Partially effective - clears current infection but leaves reinfection vector open.
• Option B: Selective Patching with Revenue Priority - Patch high-revenue retailer websites first (major brands), quarantine remaining infected sites, restore services in revenue-prioritized order.
  • Pros: Protects highest-revenue retailers; balances security with business needs; enables controlled restoration.
  • Cons: Smaller retailers remain compromised; differential treatment damages platform trust; partial attack participation continues.
  • Type Effectiveness: Moderately effective - stops propagation in patched systems but worm remains active in others.
• Option C: Platform Isolation & Emergency Shopping Mode - Isolate entire platform from internet to stop attack participation, implement emergency read-only shopping catalog for Black Friday, defer full remediation to next week.
  • Pros: Stops platform’s attack participation immediately; maintains basic shopping capability; allows systematic patching post-holiday.
  • Cons: No transaction processing capability; massive revenue loss for all retailers; emergency mode requires rapid deployment.
  • Type Effectiveness: Moderately effective - contains threat but sacrifices revenue for security.

Round 2: Scope Assessment & Response (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): If Option A (reboot only) was chosen: Within 2 hours, platform is reinfected. Payment processors report that Velocity Commerce servers are attacking their infrastructure. “Visa and Mastercard gateways are being hammered by your platform.”
• Clue 5 (Minute 30): If Option B or C was chosen: Revenue analysis shows major retailers successfully processed Black Friday transactions, but 3,000 small retailers lost 8 hours of peak holiday shopping - representing $500M annual GMV in lost revenue affecting small business survival.
• Clue 6 (Minute 40): Platform forensics reveal worm has been resident for 12 hours, allowing potential access to customer payment data and retailer inventory systems during Black Friday shopping rush.
• Clue 7 (Minute 50): CEO receives calls from major retailers threatening platform migration if Black Friday revenue losses aren’t compensated. “Target and Best Buy are considering moving to competitor platforms next year.”
• Clue 8 (Minute 55): Legal counsel advises that customer payment data exposure requires breach notification under FTC, PCI-DSS, state privacy laws and state laws. Black Friday weekend timeline complicates customer communication about potential credit card compromise.

Response Options:

• Option A: Emergency Full Patching with Retailer Compensation - Deploy comprehensive IIS patching across entire platform immediately, coordinate simultaneous retailer website restoration, offer revenue-loss compensation to affected retailers, issue proactive payment data exposure notification.
  • Pros: Completely eliminates worm; demonstrates retailer partnership through compensation; meets regulatory requirements; protects long-term platform trust.
  • Cons: Brief downtime affects remaining Black Friday sales; compensation is expensive; acknowledges security failure during critical period.
  • Type Effectiveness: Super effective against Worm type - eliminates vulnerability and infection completely.
• Option B: Weekend Containment with Post-Holiday Remediation - Maintain current containment state through Black Friday weekend, implement emergency transaction security monitoring, schedule comprehensive patching for Monday after holiday weekend ends.
  • Pros: Maximizes Black Friday revenue recovery; allows systematic thorough patching; minimizes holiday disruption.
  • Cons: Extended vulnerability window; continued limited attack participation; delayed breach notification may violate regulations.
  • Type Effectiveness: Moderately effective - maintains containment but delays complete remediation.
• Option C: Third-Party Support & Parallel Platform - Engage external e-commerce security consultants, implement parallel backup shopping platform for critical retailers, conduct comprehensive forensic analysis of payment data exposure while maintaining operations.
  • Pros: Expert assistance accelerates response; business continuity for major retailers; thorough payment data assessment.
  • Cons: Expensive external support during holiday; potential payment data exposure to consultants; admission of insufficient internal capability.
  • Type Effectiveness: Moderately effective - improves response quality but extends timeline and increases cost.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether the platform quickly returns to vulnerable operation (reboot approach) or maintains containment with significant retailer revenue impact (isolation/selective approaches). Either way, the situation escalates as major retailers threaten migration, payment processors report continued attacks, forensics reveals potential customer payment data exposure, and legal counsel demands regulatory compliance during the busiest shopping weekend of the year. The team must balance complete security remediation with retailer relationships, customer payment security, and Black Friday revenue recovery.

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 shifts from immediate crisis response to long-term strategic recovery. Rounds run 30-35 minutes each with more open-ended decision-making. Use the Resolution Pathways section to guide your assessment of team progress.

Round 1: Initial Black Friday Worm Outbreak (30 min)

Black Friday morning at Velocity Commerce - the e-commerce platform serves 5,000 online retailers during the biggest shopping day of the year, with $500M annual GMV in retailer revenue flowing through the platform. Security Director Robert detects massive scanning traffic from the platform’s IIS servers, while Retailer Support Manager Jennifer reports a flood of urgent tickets: retailer websites are displaying defacement messages instead of Black Friday deals.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow vulnerability (delayed for Black Friday stability), the worm’s autonomous propagation across the shared hosting infrastructure, and the scope of retailer impact (thousands of websites defaced, payment processing disrupted during peak shopping hours).

If the team stalls: “Security Director Robert reveals that he flagged this IIS vulnerability weeks ago, but management decided to delay patching to avoid risking platform stability during Black Friday preparation - ‘Nobody wanted to be the one who broke the shopping platform before the biggest retail day of the year.’”

Facilitation questions:

• “The worm is memory-resident - rebooting servers clears it temporarily but reinfection happens within minutes without patching. How does that change your containment approach?”
• “5,000 online retailers are losing Black Friday revenue right now, and 40% of annual revenue for many small businesses happens this weekend - how urgent is restoration versus investigation?”
• “The platform’s infected servers are attacking payment processor gateways - what are the broader ecosystem implications beyond your own retailers?”

Round 1→2 Transition

The investigation confirms automated IIS worm propagation across the entire e-commerce platform. CEO Sarah Mitchell faces the core tension: patching requires taking the platform offline during Black Friday’s peak hours, but leaving it running means continued retailer website defacement and payment data exposure. Legal Counsel Amanda Lee adds: the worm’s 12-hour dwell time during peak shopping means customer payment data is potentially exposed, triggering FTC, PCI-DSS, state privacy laws notification requirements.

Round 2: Revenue Crisis & Payment Data Exposure (35 min)

If teams chose immediate platform isolation: All 5,000 online retailers are offline during Black Friday. Small retailers (3,000+) face potential business failure from lost holiday revenue. Major retailers are threatening platform migration. Patching proceeds but the revenue damage is catastrophic and growing every hour.

If teams attempted targeted remediation: Worm continues spreading through unpatched servers. Some retailer websites restored but reinfection cycle continues. Payment data exposure window extending. Competing platforms (Shopify, BigCommerce) offering emergency migration incentives to affected retailers.

New developments beyond Round 1: Forensic analysis reveals the platform’s infected servers are participating in coordinated DDoS attacks against Visa and Mastercard payment gateways - threatening the entire retail payment infrastructure, not just Velocity Commerce. Customer credit card data from Black Friday transactions was potentially accessible during the worm’s dwell time. Major retailers (Target and Best Buy) threatening immediate platform migration.

Facilitation questions:

• “3,000 small retailers depend on Black Friday for 40% of annual revenue - does their survival change how you prioritize restoration versus security?”
• “FTC, PCI-DSS, state privacy laws requires customer notification within 72 hours for payment data breaches, but Black Friday weekend notifications would trigger mass credit card cancellations - how do you handle this timing dilemma?”
• “Your platform is attacking payment processors - what’s your responsibility to the broader retail ecosystem beyond your own customers?”

Round 2→3 Transition

The immediate worm propagation is contained - servers are patched and retailer websites are being restored. But the damage is extensive: hours of Black Friday revenue lost, potential payment data exposure affecting millions of transactions, and 5,000 online retailers strained. Focus shifts from hours to weeks: retailer compensation, FTC, PCI-DSS, state privacy laws compliance, and platform security architecture.

Round 3: Long-Term Platform Recovery & Retailer Trust (35 min)

Two weeks post-Black Friday. Revenue impact assessments are in - small retailers lost an average of 60% of expected Black Friday revenue, with some facing insolvency. FTC, PCI-DSS, state privacy laws investigation is active. Velocity Commerce faces a defining question: how do you rebuild as a trusted e-commerce platform when you failed your retailers during their most critical business day?

Investigation focus areas:

• Platform security architecture - Security Director Robert proposes: automated vulnerability management, security-first patch deployment policy (no more delaying patches for business convenience), infrastructure segmentation to limit worm blast radius. 6-8 weeks, $250K investment
• Retailer relationship assessment - CEO Sarah Mitchell evaluates: retailer attrition risk (major retailers considering migration, small retailers considering alternatives), SLA credit obligations, and long-term retailer retention strategy
• Payment data compliance - Legal Counsel Amanda Lee managing FTC, PCI-DSS, state privacy laws investigation, customer notification obligations, and potential liability for payment data exposure during Black Friday transactions
• Small business impact - Jennifer reports that dozens of small retailers face potential closure from lost Black Friday revenue; some are requesting emergency financial support from the platform

Pressure events:

• PCI Security Standards Council opens formal investigation into payment data handling during the breach window
• Class of small retailers files collective legal action seeking Black Friday revenue compensation
• Competing platforms publicly announce “security-guaranteed” Black Friday 2026 campaigns, positioning against Velocity Commerce
• Industry press publishes feature on “The Platform That Ruined Black Friday for 5,000 online retailers”

Facilitation questions:

• “Small retailers face business failure from lost Black Friday revenue - what obligation does the platform have beyond SLA credits?”
• “Management deliberately delayed security patches to protect Black Friday revenue, and that decision caused the breach - how should that accountability work?”
• “How do you convince 5,000 online retailers to trust the platform for next year’s holiday season?”

Victory Conditions

• Worm eliminated with comprehensive platform patching and infrastructure verification
• Retailer website restoration completed with revenue impact assessment
• FTC, PCI-DSS, state privacy laws compliance response coordinated for payment data exposure
• Retailer trust and retention strategy demonstrated for both enterprise and small business segments

Debrief Focus (Full Game)

• How deliberate patch delay decisions during high-revenue periods create vulnerability windows that attackers exploit
• The disproportionate impact of platform outages on small businesses versus enterprises during critical revenue periods
• Why e-commerce platform security failures cascade through payment processing ecosystems affecting far more than direct customers
• The FTC, PCI-DSS, state privacy laws notification timing dilemma when breaches occur during peak shopping periods
• Accountability frameworks when management security decisions directly cause the conditions for a breach

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “E-commerce platform forensics reveal Code Red worm exploiting IIS buffer overflow vulnerability in web servers hosting 5,000 online retailers. The memory-only worm is spreading autonomously through Brightpath Retail‘s infrastructure, defacing shopping platforms with ’HELLO! Welcome to http://www.worm.com! Hacked By Chinese!’ messages during peak Black Friday traffic.”

Clue 2 (Minute 10): “Network monitoring reveals infected platform servers generating massive internet scanning traffic and participating in coordinated attacks against payment processing and financial services infrastructure. Holiday shopping timeline analysis indicates the compromise began during Black Friday preparation when IIS patches were delayed to avoid disrupting critical shopping season.”

Clue 3 (Minute 15): “Real-time traffic analysis shows Brightpath Retail’s infected servers attacking other e-commerce and financial infrastructure across the internet. Platform security assessment reveals 5,000 online retailers have lost Black Friday shopping capabilities, with major retailers reporting multi-million dollar revenue losses during the most critical shopping weekend of the year.”

Pre-Defined Response Options

Option A: Emergency IIS Patching & Platform Isolation

• Action: Immediately deploy emergency IIS patches to all platform servers, isolate infected systems from internet to stop coordinated attacks, restore retailer websites from secure backups, establish emergency shopping platform for Black Friday continuity.
• Pros: Completely stops worm propagation and ends platform participation in internet attacks; enables rapid retailer website restoration for holiday shopping revenue recovery.
• Cons: Requires complete platform patching affecting all 5,000 online retailers temporarily; some shopping data from Black Friday morning may be lost.
• Type Effectiveness: Super effective against Worm type malmons like Code Red; memory-only worm is eliminated through reboot after patching.

Option B: Selective Server Restoration & Revenue Priority

• Action: Quarantine confirmed infected servers, implement prioritized restoration for high-revenue retailers first, maintain shopping capabilities for unaffected retailers while accelerating platform-wide remediation.
• Pros: Allows continued holiday shopping operations for major retailers; protects platform business relationships through revenue-prioritized recovery.
• Cons: Risks continued worm propagation in non-prioritized infrastructure; platform continues participating in internet attacks during selective restoration.
• Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate worm presence or attack participation.

Option C: Platform Reboot & Mass Restoration

• Action: Perform coordinated platform-wide reboot to eliminate memory-only worm, rapidly restore all 5,000 online retailers simultaneously from backups, coordinate with internet security community about attack cessation.
• Pros: Fastest technical solution eliminating worm through memory clearing; demonstrates internet security responsibility through coordinated response.
• Cons: Requires complete platform downtime affecting all retailers simultaneously during Black Friday; doesn’t address underlying IIS vulnerability enabling future reinfection.
• Type Effectiveness: Partially effective against Worm malmon type; eliminates current infection but leaves vulnerability for rapid reinfection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery & Identification (30-35 min)

Investigation Clues:

• Clue 1 (Minute 5): Retailer Support Manager Yasmin reports 500+ urgent tickets from retailers seeing defacement messages instead of product catalogs on Black Friday morning. “Our retailers are losing millions in holiday sales every minute!”
• Clue 2 (Minute 10): Platform forensics reveal Code Red worm exploiting IIS buffer overflow in e-commerce infrastructure. The worm is autonomously spreading through 5,000 online retailers, defacing shopping pages with “HELLO! Welcome to http://www.worm.com! Hacked By Chinese!” during peak shopping traffic.
• Clue 3 (Minute 15): E-commerce network monitoring shows infected platform servers generating massive scanning traffic and participating in coordinated attacks against other retail and payment processing infrastructure on the busiest shopping day of the year.
• Clue 4 (Minute 20): Platform Security Director Gareth reveals that IIS patches were delayed to avoid disrupting Black Friday preparations. “We couldn’t risk platform updates during our critical revenue period - Black Friday represents 40% of annual retailer income.”

Response Options:

• Option A: Emergency Platform Reboot - Immediately reboot all infected platform servers to clear memory-only worm, restore retailer websites from backups, delay comprehensive patching until after Black Friday weekend.
  • Pros: Fastest path to retailer website restoration; minimal Black Friday disruption; maintains holiday shopping revenue.
  • Cons: Doesn’t patch underlying IIS vulnerability; servers will be reinfected within hours; continues internet attack participation risk.
  • Type Effectiveness: Partially effective - clears current infection but leaves reinfection vector open.
• Option B: Selective Patching with Revenue Priority - Patch high-revenue retailer websites first (major brands), quarantine remaining infected sites, restore services in revenue-prioritized order.
  • Pros: Protects highest-revenue retailers; balances security with business needs; enables controlled restoration.
  • Cons: Smaller retailers remain compromised; differential treatment damages platform trust; partial attack participation continues.
  • Type Effectiveness: Moderately effective - stops propagation in patched systems but worm remains active in others.
• Option C: Platform Isolation & Emergency Shopping Mode - Isolate entire platform from internet to stop attack participation, implement emergency read-only shopping catalog for Black Friday, defer full remediation to next week.
  • Pros: Stops platform’s attack participation immediately; maintains basic shopping capability; allows systematic patching post-holiday.
  • Cons: No transaction processing capability; massive revenue loss for all retailers; emergency mode requires rapid deployment.
  • Type Effectiveness: Moderately effective - contains threat but sacrifices revenue for security.

Round 2: Scope Assessment & Response (30-35 min)

Investigation Clues:

• Clue 5 (Minute 30): If Option A (reboot only) was chosen: Within 2 hours, platform is reinfected. Payment processors report that Brightpath Retail servers are attacking their infrastructure. “Visa and Mastercard gateways are being hammered by your platform.”
• Clue 5 (Minute 30): If Option B or C was chosen: Revenue analysis shows major retailers successfully processed Black Friday transactions, but 3,000 small retailers lost 8 hours of peak holiday shopping - representing £350M annual GMV in lost revenue affecting small business survival.
• Clue 6 (Minute 40): Platform forensics reveal worm has been resident for 12 hours, allowing potential access to customer payment data and retailer inventory systems during Black Friday shopping rush.
• Clue 7 (Minute 50): CEO receives calls from major retailers threatening platform migration if Black Friday revenue losses aren’t compensated. “John Lewis and Marks & Spencer are considering moving to competitor platforms next year.”
• Clue 8 (Minute 55): Legal counsel advises that customer payment data exposure requires breach notification under UK GDPR, ICO, CMA, PCI-DSS and state laws. Black Friday weekend timeline complicates customer communication about potential credit card compromise.

Response Options:

• Option A: Emergency Full Patching with Retailer Compensation - Deploy comprehensive IIS patching across entire platform immediately, coordinate simultaneous retailer website restoration, offer revenue-loss compensation to affected retailers, issue proactive payment data exposure notification.
  • Pros: Completely eliminates worm; demonstrates retailer partnership through compensation; meets regulatory requirements; protects long-term platform trust.
  • Cons: Brief downtime affects remaining Black Friday sales; compensation is expensive; acknowledges security failure during critical period.
  • Type Effectiveness: Super effective against Worm type - eliminates vulnerability and infection completely.
• Option B: Weekend Containment with Post-Holiday Remediation - Maintain current containment state through Black Friday weekend, implement emergency transaction security monitoring, schedule comprehensive patching for Monday after holiday weekend ends.
  • Pros: Maximizes Black Friday revenue recovery; allows systematic thorough patching; minimizes holiday disruption.
  • Cons: Extended vulnerability window; continued limited attack participation; delayed breach notification may violate regulations.
  • Type Effectiveness: Moderately effective - maintains containment but delays complete remediation.
• Option C: Third-Party Support & Parallel Platform - Engage external e-commerce security consultants, implement parallel backup shopping platform for critical retailers, conduct comprehensive forensic analysis of payment data exposure while maintaining operations.
  • Pros: Expert assistance accelerates response; business continuity for major retailers; thorough payment data assessment.
  • Cons: Expensive external support during holiday; potential payment data exposure to consultants; admission of insufficient internal capability.
  • Type Effectiveness: Moderately effective - improves response quality but extends timeline and increases cost.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether the platform quickly returns to vulnerable operation (reboot approach) or maintains containment with significant retailer revenue impact (isolation/selective approaches). Either way, the situation escalates as major retailers threaten migration, payment processors report continued attacks, forensics reveals potential customer payment data exposure, and legal counsel demands regulatory compliance during the busiest shopping weekend of the year. The team must balance complete security remediation with retailer relationships, customer payment security, and Black Friday revenue recovery.

Full Game Materials (120-140 min, 3 rounds)

NoteHow Full Game Differs from Lunch & Learn

The Full Game expands the scenario from 2 guided rounds to 3 open-ended rounds. Players drive their own investigation using the Key Discovery Paths above rather than receiving timed clues. Round 3 shifts from immediate crisis response to long-term strategic recovery. Rounds run 30-35 minutes each with more open-ended decision-making. Use the Resolution Pathways section to guide your assessment of team progress.

Round 1: Initial Black Friday Worm Outbreak (30 min)

14:30 on a Wednesday at Brightpath Retail - the e-commerce platform serves 5,000 online retailers during the biggest shopping day of the year, with £350M annual GMV in retailer revenue flowing through the platform. Security Director Gareth detects massive scanning traffic from the platform’s IIS servers, while Retailer Support Manager Yasmin reports a flood of urgent tickets: retailer websites are displaying defacement messages instead of Black Friday deals.

Open investigation guidance: All four Key Discovery Paths are available. Teams typically uncover the unpatched IIS buffer overflow vulnerability (delayed for Black Friday stability), the worm’s autonomous propagation across the shared hosting infrastructure, and the scope of retailer impact (thousands of websites defaced, payment processing disrupted during peak shopping hours).

If the team stalls: “Security Director Gareth reveals that he flagged this IIS vulnerability weeks ago, but management decided to delay patching to avoid risking platform stability during Black Friday preparation - ‘Nobody wanted to be the one who broke the shopping platform before the biggest retail day of the year.’”

Facilitation questions:

• “The worm is memory-resident - rebooting servers clears it temporarily but reinfection happens within minutes without patching. How does that change your containment approach?”
• “5,000 online retailers are losing Black Friday revenue right now, and 40% of annual revenue for many small businesses happens this weekend - how urgent is restoration versus investigation?”
• “The platform’s infected servers are attacking payment processor gateways - what are the broader ecosystem implications beyond your own retailers?”

Round 1→2 Transition

The investigation confirms automated IIS worm propagation across the entire e-commerce platform. CEO Oliver Thompson faces the core tension: patching requires taking the platform offline during Black Friday’s peak hours, but leaving it running means continued retailer website defacement and payment data exposure. Legal Counsel Catherine Whitmore adds: the worm’s 12-hour dwell time during peak shopping means customer payment data is potentially exposed, triggering UK GDPR, ICO, CMA, PCI-DSS notification requirements.

Round 2: Revenue Crisis & Payment Data Exposure (35 min)

If teams chose immediate platform isolation: All 5,000 online retailers are offline during Black Friday. Small retailers (3,000+) face potential business failure from lost holiday revenue. Major retailers are threatening platform migration. Patching proceeds but the revenue damage is catastrophic and growing every hour.

If teams attempted targeted remediation: Worm continues spreading through unpatched servers. Some retailer websites restored but reinfection cycle continues. Payment data exposure window extending. Competing platforms (Shopify, BigCommerce) offering emergency migration incentives to affected retailers.

New developments beyond Round 1: Forensic analysis reveals the platform’s infected servers are participating in coordinated DDoS attacks against Visa and Mastercard payment gateways - threatening the entire retail payment infrastructure, not just Brightpath Retail. Customer credit card data from Black Friday transactions was potentially accessible during the worm’s dwell time. Major retailers (John Lewis and Marks & Spencer) threatening immediate platform migration.

Facilitation questions:

• “3,000 small retailers depend on Black Friday for 40% of annual revenue - does their survival change how you prioritize restoration versus security?”
• “UK GDPR, ICO, CMA, PCI-DSS requires customer notification within 72 hours for payment data breaches, but Black Friday weekend notifications would trigger mass credit card cancellations - how do you handle this timing dilemma?”
• “Your platform is attacking payment processors - what’s your responsibility to the broader retail ecosystem beyond your own customers?”

Round 2→3 Transition

The immediate worm propagation is contained - servers are patched and retailer websites are being restored. But the damage is extensive: hours of Black Friday revenue lost, potential payment data exposure affecting millions of transactions, and 5,000 online retailers strained. Focus shifts from hours to weeks: retailer compensation, UK GDPR, ICO, CMA, PCI-DSS compliance, and platform security architecture.

Round 3: Long-Term Platform Recovery & Retailer Trust (35 min)

Two weeks post-Black Friday. Revenue impact assessments are in - small retailers lost an average of 60% of expected Black Friday revenue, with some facing insolvency. UK GDPR, ICO, CMA, PCI-DSS investigation is active. Brightpath Retail faces a defining question: how do you rebuild as a trusted e-commerce platform when you failed your retailers during their most critical business day?

Investigation focus areas:

• Platform security architecture - Security Director Gareth proposes: automated vulnerability management, security-first patch deployment policy (no more delaying patches for business convenience), infrastructure segmentation to limit worm blast radius. 6-8 weeks, £200K investment
• Retailer relationship assessment - CEO Oliver Thompson evaluates: retailer attrition risk (major retailers considering migration, small retailers considering alternatives), SLA credit obligations, and long-term retailer retention strategy
• Payment data compliance - Legal Counsel Catherine Whitmore managing UK GDPR, ICO, CMA, PCI-DSS investigation, customer notification obligations, and potential liability for payment data exposure during Black Friday transactions
• Small business impact - Yasmin reports that dozens of small retailers face potential closure from lost Black Friday revenue; some are requesting emergency financial support from the platform

Pressure events:

• Information Commissioner’s Office opens formal investigation into payment data handling during the breach window
• Class of small retailers files collective legal action seeking Black Friday revenue compensation
• Competing platforms publicly announce “security-guaranteed” Black Friday 2026 campaigns, positioning against Brightpath Retail
• Industry press publishes feature on “The Platform That Ruined Black Friday for 5,000 online retailers”

Facilitation questions:

• “Small retailers face business failure from lost Black Friday revenue - what obligation does the platform have beyond SLA credits?”
• “Management deliberately delayed security patches to protect Black Friday revenue, and that decision caused the breach - how should that accountability work?”
• “How do you convince 5,000 online retailers to trust the platform for next year’s holiday season?”

Victory Conditions

• Worm eliminated with comprehensive platform patching and infrastructure verification
• Retailer website restoration completed with revenue impact assessment
• UK GDPR, ICO, CMA, PCI-DSS compliance response coordinated for payment data exposure
• Retailer trust and retention strategy demonstrated for both enterprise and small business segments

Debrief Focus (Full Game)

• How deliberate patch delay decisions during high-revenue periods create vulnerability windows that attackers exploit
• The disproportionate impact of platform outages on small businesses versus enterprises during critical revenue periods
• Why e-commerce platform security failures cascade through payment processing ecosystems affecting far more than direct customers
• The UK GDPR, ICO, CMA, PCI-DSS notification timing dilemma when breaches occur during peak shopping periods
• Accountability frameworks when management security decisions directly cause the conditions for a breach

Advanced Challenge Materials (150-170 min, 3+ rounds)

Red Herrings & Misdirection

• {{deadline}} load scaling - platform automatically scales infrastructure during traffic surges; some server restarts and reconfigurations are legitimate load management, not worm activity
• Retailer custom integration failures - several major retailers implemented custom checkout integrations that break during platform updates, creating confusion about worm defacement versus integration issues
• Previous {{deadline}} outage - last year, a different issue caused a 4-hour platform disruption; creates misdirection about whether current incident involves same root causes
• Competitive DDoS speculation - some retailers initially speculate competitors attacked the platform to gain {{deadline}} market share, misdirecting from actual worm propagation

Removed Resources & Constraints

• Security Director sidelined - {{npc_security_director_name}}’s earlier warnings about the patch delay are now politically sensitive; management limits his communication role to avoid “I told you so” narrative
• No automated patch deployment - platform lacks infrastructure-as-code deployment pipeline for emergency patches, requiring manual server-by-server remediation
• Holiday staffing gaps - {{deadline}} weekend means skeleton IT crew; calling in staff requires significant overtime during a budget-constrained quarter
• Payment processor communication blackout - {{payment_processors}} security teams impose information sharing restrictions during their own investigation, limiting coordination

Enhanced Pressure

• Regulatory investigation escalation - {{state_authority}} opens consumer protection investigation into {{deadline}} payment data exposure
• Retailer coalition threat - 200+ small retailers form emergency coalition threatening collective migration and public campaign against {{org_name}}
• Insurance coverage dispute - cyber insurance carrier argues the patch delay constitutes “negligent security practices” excluded from coverage
• Board of directors intervention - board demands emergency meeting to discuss management accountability for the patch delay decision

Ethical Dilemmas

• Tiered retailer restoration - major retailers ({{major_retailer_revenue}}) get priority restoration while 3,000 small retailers wait; is this pragmatic triage or discriminatory treatment that compounds small business harm?
• Patch delay accountability - management decided to delay patches, but IT staff implemented the decision; who bears responsibility when institutional decisions create vulnerability?
• {{regulatory_framework}} notification versus holiday impact - strict compliance requires customer notification during {{deadline}} weekend, triggering mass credit card cancellations that compound retailer losses; does regulatory timing flexibility exist?
• Small retailer survival assistance - dozens of small businesses face closure from lost {{deadline}} revenue; does {{org_name}} have moral obligation to provide financial support beyond contractual SLA credits?

Advanced Debrief Topics

• How revenue-driven patch delay decisions create systematic vulnerability windows during precisely the periods when breaches cause maximum damage
• The ethics of tiered service restoration during platform outages when small businesses face existential consequences
• Why e-commerce platform security failures cascade through payment processing ecosystems affecting far more than direct customers
• How {{regulatory_framework}} notification timing requirements interact with seasonal business patterns to create compounding harm
• Accountability frameworks for institutional security decisions where management pressure creates the conditions for breaches